_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________

Information Bulletin

OpenWindows 2.0 selection_svc Vulnerability

January 16, 1991, 1700 PST                              Number B-11
________________________________________________________________________

PROBLEM:  Security vulnerability on Sun computers running OpenWindows 2.0 allows theft of critical files.
PLATFORM: SunOS release 4.0.3, 4.1, Sun386i 4.0.1/4.0.2
DAMAGE:   Theft of critical system files.
PATCH:    Available through anonymous ftp from ftp.uu.net or from Sun (contact Sun at 1-800-USA4SUN for details). A patch for SunOS 4.0.3 will be available soon.
________________________________________________________________________

Critical Facts about the OpenWindows 2.0 selection_svc Vulnerability
________________________________________________________________________

CIAC has been advised that there is a vulnerability (Sun Bugid 1040747) in systems running OpenWindows 2.0 in compatibility mode. This problem is similar in scope to the SunView/SunTools selection_svc vulnerability described in CIAC Information Bulletin Number A-32 (Sun Bugid 1039576 and Sun Patchid 100085-03), excerpted here:

    The SunView/SunTools selection_svc facility may allow a remote user unauthorized access to selected files from a computer running SunView. [...]

    Because the selection_svc process continues to run until terminated, this vulnerability can be exploited even after a user changes to another window system after running SunView/SunTools or logs off the system. (The problem is in SunView/SunTools, however, and not with other window systems such as X11.)

    In essence, the SunView/SunTools bug allows an unauthorized user on a remote system to read any file that is readable to the user running SunView.
    In addition, an unauthorized user on a remote 386i system can read any file on a workstation running SunView regardless of protections. Please note that if root runs SunView, all files are potentially accessible by a remote system.

The threat to OpenWindows is similar to the above. Sun gives more details:

    One of the OpenWindows 2.0 tools uses the same mechanism for displaying SunView windows in OpenWindows 2.0 in compatibility mode [ as the unfixed SunView/SunTools selection_svc ]. This tool "sv_xv_sel_svc" should be replaced with the new version.

If the password file is world readable, an intruder can copy this file and attempt to guess passwords.

This threat can be eliminated if you obtain and install a new version of sv_xv_sel_svc from the Sun Answer Centers or uunet. Binaries for both a Sun3 and Sun4 are available. The Bugid for this is 1040747 and Patchid is 100184-02. If you obtain your patch from uunet, please note that the checksum of this compressed tarfile is

    100184-02.tar.Z: 33786 35

The following installation instructions are provided by Sun Microsystems. (No additional README information will be available from uunet.)

Patch-ID# 100184-02
Keywords: bugid 1040747
Synopsis: sv_xv_sel_svc and rpc can be used to gain access to system files
Date: 14/Dec/90

SunOS release: 4.0.3 or later
Unbundled Product: Open Windows
Unbundled Release: Version 2

Topic:

BugId's fixed with this patch: 1040747
Architectures for which this patch is available: sun4 sun3
Patches which may conflict with this patch:
Obsoleted by: Open Windows Version 3

Problem Description: sv_xv_sel_svc and rpc can be used to gain access to system files.

INSTALL:

    mv $OPENWINHOME/bin/xview/sv_xv_sel_svc $OPENWINHOME/bin/xview/sv_xv_sel_svc.orig
    cp `arch`/sv_xv_sel_svc $OPENWINHOME/bin/xview/sv_xv_sel_svc

To obtain this patch from the Sun Answer Center, call your local Sun answer center, phone (800) USA-4SUN, or send e-mail to: security-features@sun.com

To reach Sun Microsystems' customer warning system, send e-mail to: security-alert@sun.com or leave a message on the voice mail system at (415) 336-7205.

Please also advise CIAC of any new vulnerabilities you may discover.

David S. Brown
(415) 423-9878 or (FTS) 543-9878

Send e-mail to ciac@tiger.llnl.gov

Call CIAC at (415) 422-8193 or (FTS) 532-8193, or send FAX messages to (415) 423-0913 or (FTS) 543-0913.

FELIX, the CIAC Bulletin Board, can be accessed at 1200 or 2400 baud at (415) 423-4753 or (FTS) 543-4753. (9600 baud access can be obtained from Lawrence Berkeley and Lawrence Livermore Laboratories at 423-9885.)

This announcement bulletin was prepared with assistance from Dave Liebreich, Sterling Software @ NASA Ames Research Center. CERT/CC and Brad Powell of Sun Microsystems provided information included in this bulletin.

Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California.

The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.
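
The checksum comparison and the INSTALL steps from the bulletin, combined so that the installed binary is only replaced when the download matches the published `sum` value. This is an added example, not Sun's or CIAC's script; the function names and the extracted-patch-directory argument are assumptions.

```shell
#!/bin/sh
# Added example, not Sun's or CIAC's script. Function names and the
# "extracted patch directory" argument are assumptions for illustration.

EXPECTED_CKSUM=33786    # first field of the `sum` value in the bulletin
EXPECTED_BLOCKS=35      # second field (block count)

# verify_sum FILE CKSUM BLOCKS
# Succeeds only if both fields printed by sum(1) match the expected values.
verify_sum() {
    file=$1 want_cksum=$2 want_blocks=$3
    [ -r "$file" ] || return 2
    # Read from stdin so no filename is echoed back; split the two fields.
    read -r got_cksum got_blocks _rest <<EOF
$(sum < "$file")
EOF
    [ "$got_cksum" -eq "$want_cksum" ] && [ "$got_blocks" -eq "$want_blocks" ]
}

# install_patch NEW_BINARY INSTALLED_BINARY
# Mirrors the INSTALL steps: keep the old binary as *.orig, copy the new one
# in, and put the original back if the copy fails.
install_patch() {
    src=$1 dest=$2
    [ -f "$src" ] && [ -f "$dest" ] || return 2
    mv "$dest" "$dest.orig" || return 1
    if ! cp "$src" "$dest"; then
        mv "$dest.orig" "$dest"
        return 1
    fi
}

# apply_patch TARBALL EXTRACTED_DIR
# Refuses to touch the installed binary unless the download matches.
apply_patch() {
    if ! verify_sum "$1" "$EXPECTED_CKSUM" "$EXPECTED_BLOCKS"; then
        echo "sum mismatch for $1: not installing" >&2
        return 1
    fi
    install_patch "$2/$(arch)/sv_xv_sel_svc" \
        "$OPENWINHOME/bin/xview/sv_xv_sel_svc"
}

# Run only when called as: script 100184-02.tar.Z <extracted patch dir>
if [ $# -eq 2 ]; then
    apply_patch "$1" "$2"
fi
```

The `sum` value is a 16-bit checksum, so a match shows the file arrived uncorrupted; it is not evidence that the file is authentic.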